On 2014-06-25 at 15:06, Michel <msa...@paybox.com> wrote:

> Excerpt from the book : "Network Security with OpenSSL" :
> 
> "An SSL_CTX object will be a factory for producing SSL connection objects.
> This context allows us to set connection configuration parameters before the 
> connection is made, such as protocol version, certificate information, and 
> verification requirements.
> It is easiest to think of SSL_CTX objects as the containers for default 
> values for the SSL connections to be made by a program.
> …

Thanks for the reminder. I had of course already read the OpenSSL manual pages, 
but as the documentation of OpenSSL is (to be honest) really bad, I wanted to 
make this absolutely clear.

> In general, an application will create just one SSL_CTX object for all of the 
> connections it makes."
> 
> And yes, this is also true for multithreaded connections, as long as we are 
> aware of:
> https://www.openssl.org/docs/crypto/threads.html

Ok, but then please allow the question how I should deal with 

SSL_CTX_set_cert_verify_callback(sslCtx, func, conn);

in that context? Because currently we use this function to define our own verify 
callback function and we supply ‘conn’ here as an application-specific pointer 
argument (extracting it via X509_STORE_CTX_get_app_data(x509_ctx) within 
the callback function) to fill in the individual results of the certificate 
verify process of a specific SSL connection. The problem that arises here is 
that this ‘conn’ pointer is connection-specific in our case. That means I want 
to be able to use a connection-specific ‘conn’ argument with 
SSL_CTX_set_cert_verify_callback(), but if I call this function once at the 
very beginning of my application I can only specify it once, and calling 
SSL_CTX_set_cert_verify_callback() on the same sslCtx pointer for every 
parallel connection will of course overwrite the old setting.

So how can I specify our own app_data for every connection? IMHO there should be 
something like SSL_set_cert_app_data() so that I can specify different app_data 
for different SSL connections.

regards,
jens
-- 
Jens Maus, Dresden/Germany
http://jens-maus.de/

(Please note a real name change effective since 5.9.2013.
Former name: Jens Langner)

*** Content is authentic only with digital signature  ***
